Abstract

At ISCAS'2005, Yen et al. presented a new chaos-based cryptosystem for multimedia transmission
named "Multimedia Cryptography System" (MCS). No cryptanalytic results have been reported so far.
This paper presents a differential attack to break MCS, which requires only seven chosen plaintexts. The
complexity of the attack is $O(N)$, where $N$ is the size of plaintext. Experimental results are also given
to show the real performance of the proposed attack.
I. Introduction

The prevalence of multimedia data makes its security more and more important. However,
traditional cryptosystems cannot protect multimedia data efficiently due to the big differences between
texts and multimedia data, such as the bulky sizes and strong correlation between neighboring
elements of uncompressed multimedia data. In addition, multimedia encryption schemes have some
special requirements like high bitrate and easy concatenation of different components of the whole
multimedia processing system. So, designing special encryption schemes protecting multimedia data
becomes necessary. To meet this challenge, a great number of multimedia encryption schemes have been
proposed in the past two decades [1]-[11]. Due to the subtle similarity between chaos and cryptography,
some multimedia encryption schemes were designed based on one or more chaotic systems [3]-[5], [8],
[9], [11]. Meanwhile, a lot of cryptanalytic work has also been reported, showing that many encryption
schemes were not designed carefully and are prone to various kinds of attacks [12]-[23].

In the past decade, a series of encryption schemes were proposed by Yen and Guo's research group 
[24]-[28]. The main idea of these schemes is to combine some basic encryption operations, under the 
control of a pseudorandom bit sequence (PRBS) generated by iterating a chaotic system. Unfortunately, 
most of the Yen-Guo multimedia encryption schemes have been successfully cryptanalyzed [29]-[33].

This paper reports a security analysis of MCS (Multimedia Cryptography System), the latest multimedia
encryption scheme proposed by Yen et al. [28]. Another hardware implementation of MCS was
proposed in [34]. Compared with other earlier designs, such as RCES [26] and TDCEA [27], which
have been cryptanalyzed in [29], [33], MCS combines more encryption operations of different kinds in
a more complicated manner, in the hope that the security can be effectively enhanced. This paper shows
that MCS is still vulnerable to a differential chosen-plaintext attack. Only seven chosen plaintexts (or six
specific plaintext differentials) are enough to break MCS, with a divide-and-conquer (DAC) strategy.

The rest of this paper is organized as follows. Section II briefly introduces how MCS works. The
proposed differential attack is detailed in Sec. III with experimental results. Finally the last section
concludes the paper.

II. Multimedia Cryptography System (MCS) 

MCS encrypts the plaintext block by block, and each block contains 15 bytes. As the first step of the 
encryption process, each 15-byte plain-block is expanded to a 16-byte one by adding a secretly selected 
byte. Then, the expanded block is encrypted with the following four different operations: byte swapping 
(permutation), value masking, horizontal and vertical bit rotations, which are all controlled by a secret 
PRBS. 

Denote the plaintext by $f = (f(i))_{i=0}^{N-1}$, where $f(i)$ denotes the $i$-th plain-byte. Without loss of
generality, assume that $N$ can be exactly divided by 15. Then, the plaintext has $N/15$ blocks:
$f = (f^{(15)}(k))_{k=0}^{N/15-1}$, where $f^{(15)}(k) = (f^{(15)}(k,j))_{j=0}^{14} = (f(15k+j))_{j=0}^{14}$. Similarly, denote the ciphertext
by $f' = (f'(i))_{i=0}^{16N/15-1} = (f'^{(16)}(k))_{k=0}^{N/15-1}$, where $f'^{(16)}(k) = (f'^{(16)}(k,j))_{j=0}^{15} = (f'(16k+j))_{j=0}^{15}$
denotes the expanded cipher-block. With the above notations, MCS can be described as follows.

• The secret key includes five integers $\alpha_1$, $\alpha_2$, $\beta_1$, $\beta_2$, Secret, and a binary fraction $x(0)$, where
$1 \le \alpha_1 < \alpha_1 + \beta_1 \le 7$, $1 \le \alpha_2 < \alpha_2 + \beta_2 \le 7$, Secret $\in \{0, \ldots, 255\}$ and $x(0) = \sum_{j=-64}^{-1} x(0)_j \cdot 2^{j}$,
$x(0)_j \in \{0, 1\}$.

• A PRBG (pseudorandom bit generator) 

A pseudorandom number sequence {x{i))^I^^~^ is generated by iterating the following equation 
from x(0): 

x{i + 1) = ((419/2^) • {x{i) e H{x{i))) mod 2^*) mod 2"^^, (1) 

^64 /-N ni f\ ^ rn n tt/ v^64 



Where rE(i) = E'l-64^(^)i ' 2^ € {0,1}, H{x{i)) = Ejl-m (©fc=-64 j ' and 

denotes bitwise XOR. Then, the controlling PRBG (fe(^))|=o^^^^ ^ is derived from {x{i))^J^Q^ ^ by 
extracting the 129 bits from each x{i). The above PRBG is a special case of the second class of 
chaos-based PRBG proposed in [35], with the parameters p = 419, m = 8, M = k = 64. 

• The initialization process 

1) run the above PRBG to generate the controlling PRBS {b{i))^'^^^^^ ^; 2) set temp = Secret. 

• The encryption procedure 

For each plain-block $f^{(15)}(k)$, do the following operations consecutively:

- Step a) Data expansion

Add temp to the 15-byte plain-block to get an expanded 16-byte block

$f^{(16)}(k) = (f^{(16)}(k,j))_{j=0}^{15} = (f^{(15)}(k,0), \ldots, f^{(15)}(k,14), temp)$,

and then set temp $= f^{(16)}(k, l(k))$, where $l(k) = \sum_{i=0}^{3} b(129k+i) \cdot 2^{i}$.

- Step b) Byte swapping

Define a pseudorandom byte swapping operation, $Swap_{b(129k+l)}(f^{(16)}(k,i), f^{(16)}(k,j))$, which
swaps $f^{(16)}(k,i)$ and $f^{(16)}(k,j)$ when $b(129k+l) = 1$. Then, perform the byte swapping operation
for the following 32 values of $(i, j, l)$ one after another: (0,8,4), (1,9,5), (2,10,6), (3,11,7),
(4,12,8), (5,13,9), (6,14,10), (7,15,11), (0,4,12), (1,5,13), (2,6,14), (3,7,15), (8,12,16), (9,13,17),
(10,14,18), (11,15,19), (0,2,20), (1,3,21), (4,6,22), (5,7,23), (8,10,24), (9,11,25), (12,14,26),
(13,15,27), (0,1,28), (2,3,29), (4,5,30), (6,7,31), (8,9,32), (10,11,33), (12,13,34), (14,15,35).
Denote the permuted 16-byte block by $f^{*(16)}(k)$.

¹ In [28] Yen et al. didn't exclude the possibility of $\alpha_i = 0$ and $\beta_i = 0$, but to achieve the effect of encryption they should
not be equal to 0.
- Step c) Value masking

Determine two pseudo-random variables, $Seed1(k) = \sum_{i=0}^{15} \left(\bigoplus_{t=0}^{3} b(129k+4i+t)\right) \cdot 2^{i}$ and
$Seed2(k) = \sum_{i=16}^{31} \left(\bigoplus_{t=0}^{3} b(129k+4i+t)\right) \cdot 2^{i-16}$, and then do the following masking operation
for $j = 0 \sim 7$:

$f^{**(16)}(k)_j = f^{*(16)}(k)_j \oplus Seed(k,j)$, (2)

where $f^{*(16)}(k)_j$ and $f^{**(16)}(k)_j$ are composed of the $j$-th bits of the 16 elements of $f^{*(16)}(k)$
and $f^{**(16)}(k)$, respectively,

$Seed(k,j) = \begin{cases} Seed1(k), & B(k,j) = 3, \\ Seed1(k), & B(k,j) = 2, \\ Seed2(k), & B(k,j) = 1, \\ Seed2(k), & B(k,j) = 0, \end{cases}$

and $B(k,j) = 2 \cdot b(129k+36+2j) + b(129k+37+2j)$.
- Step d) Horizontal bit rotation

Construct an $8 \times 8$ matrix $M_1$ by assigning $M_1(i,j)$ as the $j$-th bit of $f^{**(16)}(k,i)$. Then,
perform the following horizontal bit rotation operations for $i = 0, \ldots, 7$ to get a new matrix
$M_1$:

$M_1(i,:) = RotateX^{p_{1,k,i},\, r_{1,k,i}}(M_1(i,:))$,

which shifts $M_1(i,:)$ (the $i$-th row of $M_1$) by $r_{1,k,i}$ elements (bits) to the left when $p_{1,k,i} = 1$
and to the right when $p_{1,k,i} = 0$. The values of the two parameters are as follows: $p_{1,k,i} = b(129k+65+2i)$,
$r_{1,k,i} = \alpha_1 + \beta_1 \cdot b(129k+66+2i)$. Equivalently, the above process can be
rewritten in the following way:

$M_1(i,:) = RotateX^{0,\, r_{1,k,i}}(M_1(i,:))$,

where

$r_{1,k,i} = \begin{cases} \alpha_1 + \beta_1 \cdot b(129k+66+2i), & p_{1,k,i} = b(129k+65+2i) = 0, \\ 8 - (\alpha_1 + \beta_1 \cdot b(129k+66+2i)), & p_{1,k,i} = b(129k+65+2i) = 1. \end{cases}$

In the following, we will use the latter form to simplify our further discussion.
In a similar way, construct another $8 \times 8$ matrix $M_2$ by assigning $M_2(i,j)$ as the $j$-th bit of
$f^{**(16)}(k, 8+i)$. Then, perform similar horizontal bit rotation operations on $M_2$ to get a new
matrix $M_2$:

$M_2(i,:) = RotateX^{0,\, r_{2,k,i}}(M_2(i,:))$,

where

$r_{2,k,i} = \begin{cases} \alpha_1 + \beta_1 \cdot b(129k+98+2i), & p_{2,k,i} = b(129k+97+2i) = 0, \\ 8 - (\alpha_1 + \beta_1 \cdot b(129k+98+2i)), & p_{2,k,i} = b(129k+97+2i) = 1. \end{cases}$

After the above horizontal bit rotation operations, represent the $i$-th byte in the 16-byte block
as follows:

$\begin{cases} \sum_{j=0}^{7} M_1(i,j) \cdot 2^{j}, & 0 \le i \le 7, \\ \sum_{j=0}^{7} M_2(i-8,j) \cdot 2^{j}, & 8 \le i \le 15. \end{cases}$



- Step e) Vertical bit rotation

For $j = 0, \ldots, 7$, do the following vertical bit rotation operations on $M_1$ to get $M_1$:

$M_1(:,j) = RotateY^{0,\, s_{1,k,j}}(M_1(:,j))$,

which shifts $M_1(:,j)$ (the $j$-th column of $M_1$) by $s_{1,k,j}$ elements (bits) downwards. The value
of the parameter is as follows:

$s_{1,k,j} = \begin{cases} \alpha_1 + \beta_1 \cdot b(129k+82+2j), & q_{1,k,j} = b(129k+81+2j) = 0, \\ 8 - (\alpha_1 + \beta_1 \cdot b(129k+82+2j)), & q_{1,k,j} = b(129k+81+2j) = 1. \end{cases}$

Similar vertical bit rotations are performed on $M_2$ to get $M_2$ as follows:

$M_2(:,j) = RotateY^{0,\, s_{2,k,j}}(M_2(:,j))$,

where

$s_{2,k,j} = \begin{cases} \alpha_1 + \beta_1 \cdot b(129k+114+2j), & q_{2,k,j} = b(129k+113+2j) = 0, \\ 8 - (\alpha_1 + \beta_1 \cdot b(129k+114+2j)), & q_{2,k,j} = b(129k+113+2j) = 1. \end{cases}$

Finally, the cipher-block $f'^{(16)}(k) = (f'^{(16)}(k,i))_{i=0}^{15}$ is derived from $M_1$ and $M_2$ as follows:

$f'^{(16)}(k,i) = \begin{cases} \sum_{j=0}^{7} M_1(i,j) \cdot 2^{j}, & 0 \le i \le 7, \\ \sum_{j=0}^{7} M_2(i-8,j) \cdot 2^{j}, & 8 \le i \le 15. \end{cases}$



The decryption procedure is simply the inverse of the above encryption procedure. 
III. Cryptanalysis

First of all, we point out that the subkey Secret has no influence on the decryption process. This is
because Secret is only used to determine the expanded byte, and never used to change the value of any
other byte in the plaintext. In fact, if we use a different value of Secret for the decryption process, the
plaintext can still be correctly recovered. Furthermore, the probability that Secret becomes the expanded
byte of $f^{(16)}(k)$ is $(15/16)^{k}$, which decreases exponentially. This means that Secret has no influence
on the encryption process after $k$ becomes sufficiently large. As a whole, Secret should be excluded from
the key. In the rest of this paper, we will not consider Secret as a subkey.

A. Some properties of MCS 

Define the XOR-differential ("differential" in short hereinafter) of two plaintexts $f_0$ and $f_1$ as
$f_{0\oplus1} = f_0 \oplus f_1$. When $f_0$ and $f_1$ are encrypted with the same secret key, it is easy to prove the following three
properties of MCS, which will be the basis of the proposed attack.

Property 1: The random masking in Step c) cannot change the differential value, i.e., $\forall\, k, j$,
$f^{**(16)}_{0\oplus1}(k,j) = f^{*(16)}_{0\oplus1}(k,j)$.

Proof: It is a straightforward result of the following property of XOR: $(a \oplus x) \oplus (b \oplus x) = a \oplus b$. ■

Property 2: Each expanded plain-block $f^{(16)}_{0\oplus1}(k)$ is independent of the sub-key Secret.

Proof: This can be proved with mathematical induction on $k$. When $k = 0$ and $0 \le j \le 15$, i.e.,
for the $j$-th byte of the first 16-byte block,

$f^{(16)}_{0\oplus1}(0,j) = \begin{cases} f^{(15)}_{0\oplus1}(0,j), & 0 \le j \le 14, \\ Secret \oplus Secret = 0, & j = 15, \end{cases}$

which is obviously independent of the value of Secret. Now assume the property holds for the first $k-1$
blocks. Then, for the $k$-th 16-byte block,

$f^{(16)}_{0\oplus1}(k,j) = \begin{cases} f^{(15)}_{0\oplus1}(k,j), & 0 \le j \le 14, \\ f^{(16)}_{0\oplus1}(k-1, l(k-1)), & j = 15, \end{cases}$

which is also independent from Secret according to the assumption. Thus, this property is proved. ■

Property 3: The byte swapping in Step b) cannot change each differential value, but its position in
the 16-byte block.

Property 4: Both the horizontal bit rotation in Step d) and the vertical bit rotation in Step e) cannot
change each differential bit itself, but its position in the binary representation of the 8-byte block.

The proofs of the above two properties are straightforward, so we omit them here.



B. The differential attack 

Based on the above properties of MCS, the data expansion in Step a), the first eight byte swapping
operations in Step b), the vertical bit rotation in Step e), the horizontal bit rotation in Step d), the other
unknown byte swapping operations in Step b) and the value masking in Step c) can be broken in order
with a number of chosen plaintext differentials.

1) Breaking the secret data expansion in Step a): To facilitate the following discussion, let us denote
the Hamming weight of a byte or a block $x$, i.e., the number of 1-bits in $x$, by $|x|$. From Property
2, one can see that $8 \cdot 15 = 120$ binary bits of $f^{(16)}_{0\oplus1}(k)$ come from $f^{(15)}_{0\oplus1}(k)$ and the other
eight bits come from $f^{(16)}_{0\oplus1}(k-1, l(k-1))$ for $k \ge 1$ (the eight expanded bits are all 0-bits when
$k = 0$). Since all the other steps do not change the Hamming weight of each 16-byte block, we
can get

$\left|f^{(16)}_{0\oplus1}(k-1, l(k-1))\right| = \left|f'^{(16)}_{0\oplus1}(k)\right| - \left|f^{(15)}_{0\oplus1}(k)\right|$.

In case $\left|f^{(16)}_{0\oplus1}(k-1, l(k-1))\right|$ is unique
in the last 15-byte block $f^{(15)}_{0\oplus1}(k-1)$, we can uniquely determine the value of $l(k-1)$. Considering
$\left|f^{(16)}_{0\oplus1}(k-1, l(k-1))\right| \in \{0, \ldots, 8\}$ but $l(k-1) \in \{0, \ldots, 15\}$, at least two plain-bytes in each 15-byte
block have the same Hamming weight. So, the value of $l(k-1)$ may not be uniquely determined sometimes.
To make the unique determination of $l(k-1)$ possible, we can choose two plaintext differentials
$f_{0\oplus1}$ and $f_{0\oplus2}$ (i.e., differentials of three chosen plaintexts $f_0$, $f_1$ and $f_2$) to fulfill the following two
requirements: 1) $\forall\, k, j_1 \ne j_2$,
$\left(\left|f^{(15)}_{0\oplus1}(k,j_1)\right|, \left|f^{(15)}_{0\oplus2}(k,j_1)\right|\right) \ne \left(\left|f^{(15)}_{0\oplus1}(k,j_2)\right|, \left|f^{(15)}_{0\oplus2}(k,j_2)\right|\right)$; 2) $\forall\, k, j$,
$\left(\left|f^{(15)}_{0\oplus1}(k,j)\right|, \left|f^{(15)}_{0\oplus2}(k,j)\right|\right) \ne (0, 0)$. For example, the two plaintext differentials can be chosen to have
the following Hamming weights:

$(|f_{0\oplus1}(i)|)_{i=0}^{N-1} = (\underbrace{0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,\ldots,8,8}_{9 \times 9 - 1 = 80 \text{ elements}}, \ldots)$,

$(|f_{0\oplus2}(i)|)_{i=0}^{N-1} = (1,2,3,4,5,6,7,8,0,1,2,3,4,5,6,7,8,\ldots,0,1,2,3,4,5,6,7,8, \ldots)$.

With the above chosen plaintexts, it is obvious that the value of $l(k-1)$ can always be uniquely determined,
except when

$\left(\left|f^{(16)}_{0\oplus1}(k-1,15)\right|, \left|f^{(16)}_{0\oplus2}(k-1,15)\right|\right) \in \bigcup_{j=0}^{14} \left\{\left(\left|f^{(15)}_{0\oplus1}(k-1,j)\right|, \left|f^{(15)}_{0\oplus2}(k-1,j)\right|\right)\right\}$. (4)



We can calculate the occurrence probability of the above equation is less than y| • ( L^'^/^^J ^ ~ 
$1.4305 \times 10^{-5}$. For a $512 \times 512$ image, this means that we will not be able to uniquely determine the
value of $l(k-1)$ for less than $1.4305 \times 10^{-5} \times 512 \times 512/16 \approx 0.2344$ blocks in an average sense. In
other words, the value of $l(k-1)$ can be uniquely determined for almost all blocks. Note that breaking
$l(k-1)$ implies breaking 4 controlling bits $(b(129(k-1)+i))_{i=0}^{3}$.

2) Breaking the first eight byte-swapping operations in Step b): From Properties 3, 4, one can see
that all the $8 \cdot 16 = 128$ bits of each 16-byte expanded plain-block $f^{(16)}_{0\oplus1}(k)$ are the same as the ones
of the corresponding 16-byte cipher-block $f'^{(16)}_{0\oplus1}(k)$, except that their locations may change. Observing
how the bit locations are changed in the whole encryption process, we can see the following eight
byte-swapping operations are the only encryption operations moving bits from one 8-byte half-block to
another: $Swap_{b(129k+i+4)}(f^{(16)}(k,i), f^{(16)}(k,i+8))$, when $i = 0,1,2,3,4,5,6,7$. Apparently, when the
controlling bit is 1, each byte-swapping operation swaps the locations of one byte in the first half-block
and the other byte in another half-block. This fact means that, by choosing the differences between the
Hamming weights of the eight bytes in the two half-blocks properly, we will be able to derive the values of
the controlling bits $(b(129k+i+4))_{i=0}^{7}$. The simplest tactic is to choose $f^{(16)}_{0\oplus1}(k)$ such that each half-block
has only one byte with a different Hamming weight from the corresponding byte in the other half-block.
If we assume all the values of $(l(k))_{k=0}^{N/15-1}$ have been recovered, which happens with high probability
as we have shown in the previous subsection, the first 15 bytes in $f^{(16)}_{0\oplus1}(k)$ can be freely chosen by choosing
$f^{(15)}_{0\oplus1}(k)$. The last byte of each 16-byte block $f^{(16)}_{0\oplus1}(k,15)$ may not be chosen, if it is equal to Secret.
Fortunately, this has no influence on the process of breaking the first eight byte-swapping operations,
because what is chosen for the last byte is \f^^^\k, 15) | — |/(^^)(A;, 7)|. Although we may not be able 
to choose /o^^i (fc, 15), we can always choose /q^i (fc, 7) to have a different Hamming weight from that 
of fo^lik, 7). One chosen-block /o0^i (^) will be able to derive the value of one controlling bit, which 
controls the possible swapping of the two bytes (in two half-blocks, respectively) with different Hamming 
weights. We need eight chosen plain-blocks (thus eight chosen plaintext differentials) to determine the 
values of all the eight controlling bits. 

While eight chosen plaintext differentials are enough to recover all the bits controlling the first eight
byte-swapping operations, we actually need only two chosen plaintext differentials to achieve this goal.
To see how it is possible, denote the difference between the Hamming weights of the two half-blocks of
the $k$-th cipher-block by

$\Delta\left(f'^{(16)}_{0\oplus1}(k)\right) = \sum_{i=0}^{7} \left(\left|f'^{(16)}_{0\oplus1}(k,i)\right| - \left|f'^{(16)}_{0\oplus1}(k,i+8)\right|\right)$.

Then, we have the following equation:

$\Delta\left(f'^{(16)}_{0\oplus1}(k)\right) = \sum_{i=0}^{7} \left(\left|f^{(16)}_{0\oplus1}(k,i)\right| - \left|f^{(16)}_{0\oplus1}(k,i+8)\right|\right) \cdot \hat{b}(k,i)$,

where

$\hat{b}(k,i) = 1 - 2b(129k+i+4) = \begin{cases} 1, & b(129k+i+4) = 0, \\ -1, & b(129k+i+4) = 1. \end{cases}$

By choosing the values of $\left\{\left|f^{(16)}_{0\oplus1}(k,i)\right| - \left|f^{(16)}_{0\oplus1}(k,i+8)\right|\right\}_{i=0}^{7}$ to be a set of numbers such that every
nonzero number can not be represented as a linear combination of other numbers in the set, the controlling
bits corresponding to the nonzero numbers can be determined uniquely. For instance, to determine the
values of $\hat{b}(k,0), \ldots, \hat{b}(k,3)$, we can choose a plaintext differential such that

$\left|f^{(16)}_{0\oplus1}(k,i)\right| - \left|f^{(16)}_{0\oplus1}(k,i+8)\right| = \begin{cases} \pm 4, \pm 5, \pm 6, \pm 8 & \text{for } i = 0, 1, 2, 3, \text{ respectively;} \\ 0 & \text{for } i = 4, 5, 6, 7. \end{cases}$

The above chosen plaintext differential leads to the following result:

$\Delta\left(f'^{(16)}_{0\oplus1}(k)\right) \in \{\pm 23, \pm 15, \pm 13, \pm 11, \pm 7, \pm 5, \pm 3, \pm 1\}$.

The 16 possible values of $\Delta\left(f'^{(16)}_{0\oplus1}(k)\right)$ correspond to the 16 possible values of $(b(129k+4+i))_{i=0}^{3}$.
Choosing another plaintext differential such that

$\left|f^{(16)}_{0\oplus1}(k,i)\right| - \left|f^{(16)}_{0\oplus1}(k,i+8)\right| = \begin{cases} 0 & \text{for } i = 0, 1, 2, 3; \\ \pm 4, \pm 5, \pm 6, \pm 8 & \text{for } i = 4, 5, 6, 7, \text{ respectively,} \end{cases}$

we will be able to uniquely determine the other four controlling bits $(b(129k+4+i))_{i=4}^{7}$. As a whole,
with only two chosen plaintext differentials, we can uniquely determine all the eight controlling bits
$(b(129k+4+i))_{i=0}^{7}$.
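The recovery of $b(129k+4), \ldots, b(129k+11)$ from two differentials with half-block weight differences 4, 5, 6, 8, worked through as an added example (not code from the paper or from the MCS designers). It models Steps b) to e) on one already-expanded 16-byte block whose 16th differential byte is 0; the random controlling bits and mask bytes are constructed stand-ins for the PRBG output and the Seed values, and the per-half `alpha`/`beta` tuples, the rotation direction and all function names are assumptions.

```python
import itertools
import random

# Step b) schedule (i, j, l) as listed in the text: bytes i and j are swapped
# when controlling bit b[l] is 1. Only the first eight entries move a byte
# from one 8-byte half-block to the other.
SWAPS = [
    (0, 8, 4), (1, 9, 5), (2, 10, 6), (3, 11, 7), (4, 12, 8), (5, 13, 9),
    (6, 14, 10), (7, 15, 11), (0, 4, 12), (1, 5, 13), (2, 6, 14), (3, 7, 15),
    (8, 12, 16), (9, 13, 17), (10, 14, 18), (11, 15, 19), (0, 2, 20), (1, 3, 21),
    (4, 6, 22), (5, 7, 23), (8, 10, 24), (9, 11, 25), (12, 14, 26), (13, 15, 27),
    (0, 1, 28), (2, 3, 29), (4, 5, 30), (6, 7, 31), (8, 9, 32), (10, 11, 33),
    (12, 13, 34), (14, 15, 35),
]
WEIGHTS = (4, 5, 6, 8)  # Hamming-weight differences chosen in the text


def rotate_bits(byte, r):
    """Cyclic rotation of one 8-bit row by r positions (direction is an assumption)."""
    r %= 8
    return ((byte << r) | (byte >> (8 - r))) & 0xFF


def encrypt_block(block, b, mask, alpha, beta):
    """Steps b)-e) on one expanded 16-byte block under controlling bits b[0..128]."""
    x = list(block)
    for i, j, l in SWAPS:                                  # Step b)
        if b[l]:
            x[i], x[j] = x[j], x[i]
    x = [v ^ m for v, m in zip(x, mask)]                   # Step c), byte-wise mask
    for half, (p0, q0) in enumerate(((65, 81), (97, 113))):
        a, be = alpha[half], beta[half]
        rows = x[8 * half: 8 * half + 8]
        for i in range(8):                                 # Step d): rotate row i
            r = a + be * b[p0 + 1 + 2 * i]
            rows[i] = rotate_bits(rows[i], 8 - r if b[p0 + 2 * i] else r)
        out = [0] * 8
        for j in range(8):                                 # Step e): rotate column j
            s = a + be * b[q0 + 1 + 2 * j]
            s = 8 - s if b[q0 + 2 * j] else s
            for i in range(8):
                out[(i + s) % 8] |= rows[i] & (1 << j)
        x[8 * half: 8 * half + 8] = out
    return x


def hamming_weight(data):
    return sum(bin(v).count("1") for v in data)


def half_block_delta(oracle, base, diff):
    """Weight of the first half minus weight of the second half of the cipher differential."""
    c0 = oracle(base)
    c1 = oracle([v ^ d for v, d in zip(base, diff)])
    cd = [u ^ v for u, v in zip(c0, c1)]
    return hamming_weight(cd[:8]) - hamming_weight(cd[8:])


def recover_first_swap_bits(oracle, base):
    """Recover b[4..11] with two chosen differentials (three chosen blocks)."""
    bits = []
    for group in range(2):
        diff = [0] * 16
        for t, w in enumerate(WEIGHTS):
            diff[4 * group + t] = (1 << w) - 1             # byte of Hamming weight w
        delta = half_block_delta(oracle, base, diff)
        for cand in itertools.product((0, 1), repeat=4):
            # Each weight contributes +w if its byte stayed, -w if it was swapped.
            if sum(w * (1 - 2 * c) for w, c in zip(WEIGHTS, cand)) == delta:
                bits.extend(cand)
                break
    return bits


def demo(seed=2005):
    rng = random.Random(seed)
    b = [rng.randrange(2) for _ in range(129)]             # constructed controlling bits
    mask = [rng.randrange(256) for _ in range(16)]         # constructed mask bytes
    base = [rng.randrange(256) for _ in range(16)]         # constructed expanded block
    oracle = lambda blk: encrypt_block(blk, b, mask, alpha=(2, 1), beta=(3, 5))
    return recover_first_swap_bits(oracle, base), b[4:12]


if __name__ == "__main__":
    print(demo())
```

The mask and both kinds of rotation never show up in the decoded value, which is Properties 1, 3 and 4 at work: only the eight cross-half swaps change the sign of a weight difference.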

3 ) Breaking the other part of MCS: For the A;-th block, denote the intermediate result of the first 
eight byte-swapping operations by fQQi\k). Knowing 6(129A; ± 4) 6(129A; + 11) allows us to choose 
fQ^i\k) by manipulating /d^i (^)- The other encryption operations to be further broken include the 9th 
to 35th byte-swapping operations, the value masking, and the horizontal/vertical bit rotations. 
Different from the first 8 byte-swapping operations, the 9th to 35th ones in Step b) only shuffle the
locations of the eight bytes inside each half-block. We found these byte-swapping operations cannot be
uniquely determined, because some equivalent but different encryption operations exist. Roughly speaking,
if we add an overall circular byte shift operation to Step b) and all the other steps afterwards, we will get
an encryption scheme equivalent to but different from the real one. Therefore, in this sub-subsection we
turn to find such an equivalent encryption scheme. To facilitate our discussion, in the following, we use
the acronym "EES" to denote the equivalent encryption scheme that has the same encryption performance
as all the four kinds of encryption operations to be further broken. The EES is also composed of four
parts, which correspond to the four different kinds of encryption operations, respectively. Once again,
we use a divide-and-conquer tactic to get all the four parts of an EES.

a) Obtaining the vertical bit-rotation part of the EES: To get the vertical bit-rotation part, we need
to cancel the horizontal bit-rotation part and the byte-swapping part. The horizontal bit rotations can be
canceled by choosing all bytes in fQQi\k) to be either 0 or 255, i.e., all the bits in $M_1$ and $M_2$ are identical
(either 0 or 1). The byte-swapping operations cannot be fully canceled. To minimize its interference with
the vertical bit-rotation part, we can choose each half-block such that there is only one 0 or one 255.
Without loss of generality, we choose one plaintext differential such that both half-blocks of each 16-byte
block fol^i\k) contain only one 255-byte but seven 0-bytes, i.e.,



After the byte-swapping operations, assume f^^-^ {k, I) is moved to fQ^^ {k, s'i,fc,/) and /q^j^ '{k,S + I) 
to /q^\^^(A;,8 + S2,fc,0' where si,^,;, S2,fc,« G {0, ...,7}. Since the horizontal bit rotations are can- 
celed, by comparing (/o®f "* (fc, «))J=o and {foQi\k,i))J^Q, we can observe that RotateY^''^^ '' :''^^^ '' ' 
is performed for the j-th bit of /q^\^^(A;, 0). Similarly, for the second half-block, we can observe that 
RotateY°'''-''-^+'^ '' ' is performed for the j-th bit of /o£^^(fe,8). 

b) Obtaining the horizontal bit-rotation part of the EES: Now, we need to cancel the byte-swapping 
operations and the vertical bit rotations. The byte-swapping operations can be canceled by choosing a 
second plaintext differential such that all the bytes in each half-block are identical. To distinguish the 
horizontal bit shifts, we should choose the byte x G {0, . . . , 255} to satisfy the following property: ai ^ 02 
(mod 8) (x ^ ai) / (x ^ 02), or equivalently, ai = 02 (mod 8) <^4> (x ^ ai) = (x ^ 02). 
The simplest choice of x is 2\ where i G {0, ...,7}. When f^^^\k,15) = temp, either f*^^^\k,7) 
or f^^^\k, 15) will always be 0, so it will not be possible to obtain the horizontal bit-rotation part 
for this byte. Fortunately, this does not influence the decryption process, because the expanded byte 
is actually redundant and will be finally discarded. The vertical bit rotations cannot be canceled, since
they are performed after the horizontal bit rotations. Since we have obtained the vertical bit-rotation 
part of the EES, we can apply it to {fQ^i\k,i))J^Q to get {fQ^^\k,i + si,fc,/))J=0' where + denotes 
addition modulus 8. Then, compare (/o^f^Cfc, i + si,fc,i))J=o with (/o^f ""(A;, i))J^Q, one can observe that 
i?otateX'^'''^ '° ''+°i.'=.'' is performed for /q^\^^(/c, i). Similarly, we can observe i2otateX''''"^''''<'+^2.'=.'' is 
performed for /o^\^^ {k,8 + 

c) Obtaining the byte-swapping part of the EES: After obtaining the horizontal/vertical bit-rotation 
parts of the EES, we can apply the inverse horizontal/vertical bit rotations to {f'(j^i\k, j))^^Q to get 
(/oef ^ ^lAi + ^))i=o and (/oef ^ (k, 8 + (s2,fc,/ + i)))i=o- If we choose /o^\^^ (k) such that all the eight 
bytes of each half-block are different from each other, we will be able to obtain the following byte- 

*f 16) 

swapping part of the EES. For the first half-block, the real byte-swapping operation moves f^^^ [k, i) 
to /o^\^^(/f:, s^i,fc,i)> the one we obtained for the EES will move it to fQ^i\k,'si^k,i—'si,k,i)^ where — 
denotes subtraction modulus 8. Similarly, for the second half-block, the real byte-swapping operation 
moves /qqj^ (k, 8+i) to f^^^ {k,8 + S2,k,i), the one we obtained for the EES will move it to /g^i {k, 8+ 

{S2,k,i — S2,k,l))- 

d) Obtaining the value-masking part of the EES: After obtaining the byte-swapping part of the 
EES, we can get {f*'^^^\k,i + si^k,i)}i=o {f*'^-^^\k,8 + {i + si^k,i))}i=o ^oni any known plaintext. 
In addition, after obtaining both the horizontal and vertical bit-rotation parts, we can get {f**^^^\k,i + 
'si,k,i)}J=o and {/**(^^) (A;, 8 + (i + si,fc,/))}J=o from any known ciphertext. We do not need to choose 
more plaintexts, but can simply reuse any chosen plaintext used in previous steps. Note that the value 
masking performed in Step c) can be rewritten as the equivalent form: for i = 0, . . . , 15, 

f*<^^\k,i) = f<^^\k,i)mSeed*{k,i), (5) 

where Seed*{k,i) = Yl^j^QSeed{k, j)i ■ 2^ and Seed{k,j)i is the i-th bit of Seed{k,j). Then, by 
XORing {f<'^Hk,i + Ji,k,i)}J=o and {r^'^^KKi + si,k,i)}J=0' we can get {Seed*{k,i + Ji,k,i))J=o- 
Similarly, by XORing {f*(^^){k,8 + {i + si,k,i))}J=o and {f**(^e) {k,8 + (i + ?i,fc,/))}Lo' we can get 

{Seed*{k,8 + ii + si,k,i)))J=o- 

Observing the above four results, we can see all the four parts of the EES are related to the unknown
parameters si ^ ^ and 's2,k,i. If we choose different value of $l$ in Sec. III-B.3.a, we may have different EES.
All the possible EESs are equivalent to each other (and to the real encryption scheme), so we can use
any of them to decrypt any ciphertext encrypted with the same key, as long as the size of the ciphertext
is not larger than $N$. In the next subsection, we will show the values of 'si^k,i and S2,fc,« can be uniquely
determined if the sub-keys $\alpha_1$, $\alpha_2$, $\beta_1$ and $\beta_2$ satisfy some requirements.

4) Performance of the differential attack: To sum up, the differential attack outputs the following items
as an equivalent key:

• for data expansion: $(l(k-1))_{1 \le k \le N/15-1}$, which is equivalent to $(b(129(k-1)+i))_{1 \le k \le N/15-1,\ 0 \le i \le 3}$;

• for the first eight byte-swapping operations: $(b(129k+i))_{0 \le k \le N/15-1,\ 4 \le i \le 11}$;

• for the 9th to 35th byte-swapping operations: < /oi\^'' {k, i) fomi* {k, ^i,k,i—^i,k,i) \ and 



0<i<7 



fmi^ik, 8 + i) ^ foei^ik, 8 + {s2,k,i-S2,k,i)) 



0<fc<N"/15-l 
0<i<7 



for the value masking: {Seed*{k, {i + si^fc^/))) o<fc<iv/i5-i and (Seed* {k, 8 + (i + si,fc,/)))o 



<fc<Af/15-l , 



0<i<7 



• for the horizontal bit rotations: (i?otateX°'''' '='''+=i and ( iJoiateX^'"'" '"■<'+''2,fc,!) ) ; 

V / 0<k<N/15-l \ J 0<k<N/15-l ' 

. for the vertical bit rotations: {RotateY^''^^'''-^+-''-'''') o<k<N/i5-i and {RotateY^''^^-'' :i+^^-'''') o<k<N/i5-i . 

o<j<r o<j<7 

All the above items form an encryption system equivalent to MCS and can be used to decrypt any
ciphertexts encrypted with the same secret key. The (equivalent) encryption operations performed on
some expanded bytes $f^{(16)}(k, 15)$ may not be recovered, but this does not influence the effectiveness
of the differential attack, since those expanded bytes will finally be discarded.

The total number of chosen plaintexts is the sum of the following: a) two differentials for breaking
the data expansion; b) two differentials for breaking the first eight byte-swapping operations; c) four
differentials for obtaining the EES. Note that the plaintext differential needed in Sec. III-B.3.c can be
replaced by the two differentials in Sec. III-B.1. So, we only need two more differentials for obtaining the
EES. As a whole, the differential attack requires 2 + 2 + 2 = 6 plaintext differentials, or seven plaintexts,
to break MCS.

The complexity of the differential attack is also very small, since we do not have any exhaustive search
process in all the steps described above. With 6 chosen plaintext differentials, the computational complexity
of the attack is just $O(6N) = O(N)$, which is the same as that of the normal encryption/decryption
process of MCS.

C. Breaking some sub-keys and more controlling bits 

The differential attack described in the previous subsection outputs an equivalent key, which includes
some controlling bits $(b(129k+i))_{i=0}^{11}$, but does not include any part of the secret key. In this subsection,
we show we may further derive more controlling bits and the following four sub-keys: $\alpha_1$, $\beta_1$, $\alpha_2$ and
$\beta_2$. Although we have not found a way to break the underlying pseudorandom bit generator (PRBG)
and then break the subkey $x(0)$, breaking more controlling bits makes it easier to analyze more potential
weaknesses of the PRBG and opens the door to a successful cryptanalysis in future.

We first try to break the two sets $\mathbb{R}_1 = \{\alpha_1, 8-\alpha_1, \alpha_1+\beta_1, 8-(\alpha_1+\beta_1)\}$ and
$\mathbb{R}_2 = \{\alpha_2, 8-\alpha_2, \alpha_2+\beta_2, 8-(\alpha_2+\beta_2)\}$. Then, we may be able to further determine sub-keys $\alpha_1$, $\beta_1$, $\alpha_2$, $\beta_2$, 'si,k,i, S2,k,i, and
more controlling bits.

1) Breaking Mi and M2.' In the differential attack, what we have obtained for the horizontal bit 
rotations are fiiotateX°'^''''-<-+^i.'=.''') and ( RotateX'- 

0<j<7 

how ri^k,i and ri^k,i are determined, it is obvious that Mi^^ = {^i ^ ^ ^-^ 
{r2,k,(i+s2.kA)}i=o ^ ^^2- Assuming the secret bits controlling {ri^k,i)i=o (^2,fc 
formly over {0, 1}, from Proposition [T] we can get 



2,fc,(i+s2,k,i) According to 

0<j<7 

}[=o ^ ^1 and 



i)i=Q distribute uni- 



Prob 



and 



V 



Prob 



0<fc<iV/15-l 
0<i<7 



\ 



+ U 

0<fc<iV/15-l 
0<i<7 



fc,(i+S2,fc,!) ' ' 



''2,fc,(«+S2,fc,l) 



Since $8N/15 - 1$ is generally very large, the above two probabilities are extremely small, which means that
$\mathbb{R}_1$ and $\mathbb{R}_2$ can be uniquely determined with very high probability.

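Proposition 1: Assume $1 \le \beta < 7$, $1 \le \alpha < \alpha+\beta \le 7$ and $\mathbb{R} = \{\alpha, 8-\alpha, \alpha+\beta, 8-(\alpha+\beta)\}$. If
for $i = 1, \ldots, n$, random variable $r_i \in \mathbb{R}$ satisfies $Prob(r_i \in \{\alpha, 8-\alpha\}) = p$, then

$Prob\left(\mathbb{R} \ne \bigcup_{i=1}^{n} \{r_i, 8-r_i\}\right) = \begin{cases} 0, & 2\alpha+\beta = 8, \\ 1, & 2\alpha+\beta \ne 8 \text{ and } n = 1, \\ p^{n} + (1-p)^{n}, & 2\alpha+\beta \ne 8 \text{ and } n \ge 2. \end{cases}$

Proof: When $2\alpha+\beta = 8$, we can get $\alpha = 8-(\alpha+\beta)$ and $8-\alpha = \alpha+\beta$, which leads to
$\mathbb{R} = \{\alpha, 8-\alpha\} = \{\alpha+\beta, 8-(\alpha+\beta)\}$. Hence, we can immediately get $\{r_i, 8-r_i\} = \mathbb{R}$ and then
$\bigcup_{i=1}^{n} \{r_i, 8-r_i\} = \mathbb{R}$. This means that $Prob\left(\mathbb{R} \ne \bigcup_{i=1}^{n} \{r_i, 8-r_i\}\right) = 0$.

When $2\alpha+\beta \ne 8$, we have $\alpha \ne 8-(\alpha+\beta)$ and $8-\alpha \ne \alpha+\beta$. Since $\alpha \ne \alpha+\beta$ and $8-\alpha \ne 8-(\alpha+\beta)$,
there are only the following $\binom{4}{2} - 4 = 2$ pairs of elements that may be equal to each other to make
$\#(\mathbb{R}) < 4$, where $\#(\cdot)$ denotes the cardinality of a set:

• $\alpha = 8-\alpha$: $\alpha = 4 \Rightarrow 1 \le \beta \le 3$ and $\mathbb{R} = \{4, 4, 4+\beta, 4-\beta\} \Rightarrow \#(\mathbb{R}) = 3$;

• $\alpha+\beta = 8-(\alpha+\beta)$: $\alpha+\beta = 4 \Rightarrow 1 \le \alpha \le 3$ and $\mathbb{R} = \{\alpha, 8-\alpha, 4, 4\} \Rightarrow \#(\mathbb{R}) = 3$.

In case no two elements in $\mathbb{R}$ are equal to each other, it is obvious that $\#(\mathbb{R}) = 4$. As a whole, we
have $\#(\mathbb{R}) \ge 3$. Then, when $n = 1$, the proposition is obviously true since $\#(\{r_1, 8-r_1\}) < 3 \le \#(\mathbb{R})$.

When $n \ge 2$, we can see there are only two ways to make $\mathbb{R} \ne \bigcup_{i=1}^{n} \{r_i, 8-r_i\}$:

• $\bigcup_{i=1}^{n} \{r_i, 8-r_i\} = \{\alpha, 8-\alpha\}$, which occurs with probability $p^{n}$;

• $\bigcup_{i=1}^{n} \{r_i, 8-r_i\} = \{\alpha+\beta, 8-(\alpha+\beta)\}$, which occurs with probability $(1-p)^{n}$.

As a whole, we have $Prob\left(\mathbb{R} \ne \bigcup_{i=1}^{n} \{r_i, 8-r_i\}\right) = p^{n} + (1-p)^{n}$.

Combining the above three different cases, the proposition is thus proved. ■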

2) Determining sub-keys $\alpha_1$, $\beta_1$, $\alpha_2$ and $\beta_2$: After getting $\mathbb{R}_1$ and $\mathbb{R}_2$, the four sub-keys $\alpha_1$, $\beta_1$, $\alpha_2$ and
$\beta_2$ may be uniquely determined. Following a similar process of the proof of Proposition 1, we consider
the following three cases for $m = 1, 2$:

• $\#(\mathbb{R}_m) = 2$: This case happens only when $2\alpha_m + \beta_m = 8$. There are three possible sets $\mathbb{R}_m = \{1, 7\}$,
$\{2, 6\}$, $\{3, 5\}$, which correspond to $(\alpha_m, \beta_m) = (1, 6), (2, 4), (3, 2)$, respectively. Apparently,
knowing $\mathbb{R}_m$ allows us to uniquely determine the values of $\alpha_m$ and $\beta_m$.

• $\#(\mathbb{R}_m) = 3$: This case happens when $\alpha_m = 8 - \alpha_m = 4$ or $\alpha_m + \beta_m = 8 - (\alpha_m + \beta_m) = 4$. There
are only three possible sets $\mathbb{R}_m$, each of which corresponds to two possible values of $(\alpha_m, \beta_m)$:

- $\mathbb{R}_m = \{4, 1, 7\}$: $(\alpha_m, \beta_m) = (4, 3)$ or $(1, 3)$;

- $\mathbb{R}_m = \{4, 2, 6\}$: $(\alpha_m, \beta_m) = (4, 2)$ or $(2, 2)$;

- $\mathbb{R}_m = \{4, 3, 5\}$: $(\alpha_m, \beta_m) = (4, 1)$ or $(3, 1)$.

It can be seen that $\alpha_m$ and $\beta_m$ cannot be uniquely determined in this case.

• $\#(\mathbb{R}_m) = 4$: This case includes three possible sets $\mathbb{R}_m$, each of which corresponds to four different
values of $(\alpha_m, \beta_m)$:

- $\mathbb{R}_m = \{1, 2, 6, 7\}$: $(\alpha_m, \beta_m) = (1, 1), (1, 5), (2, 5)$ or $(6, 1)$;

- $\mathbb{R}_m = \{1, 3, 5, 7\}$: $(\alpha_m, \beta_m) = (1, 2), (1, 4), (3, 4)$ or $(5, 2)$;

- $\mathbb{R}_m = \{2, 3, 5, 6\}$: $(\alpha_m, \beta_m) = (2, 1), (2, 3), (3, 3)$ or $(5, 1)$.
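An exhaustive check of Proposition 1 for $p = 1/2$ and of the three cardinality cases listed above, as an added example (not code from the paper). It enumerates every sub-key pair with $1 \le \alpha < \alpha+\beta \le 7$; the function names are illustrative.

```python
from fractions import Fraction
from itertools import product


def rotation_set(alpha, beta):
    """The set {a, 8-a, a+b, 8-(a+b)} that the attack recovers for one half-block."""
    return frozenset({alpha, 8 - alpha, alpha + beta, 8 - (alpha + beta)})


def key_candidates():
    """Group every valid (alpha, beta) by the rotation set it produces."""
    groups = {}
    for alpha in range(1, 7):
        for beta in range(1, 8 - alpha):          # keeps alpha + beta <= 7
            groups.setdefault(rotation_set(alpha, beta), []).append((alpha, beta))
    return groups


def prob_set_not_recovered(alpha, beta, n):
    """Prob(R != union of {r_i, 8-r_i}) over n uniform controlling bits (p = 1/2)."""
    full = rotation_set(alpha, beta)
    misses = 0
    for bits in product((0, 1), repeat=n):
        seen = set()
        for bit in bits:
            r = alpha + beta * bit                # rotation amount chosen by this bit
            seen |= {r, 8 - r}
        misses += seen != full
    return Fraction(misses, 2 ** n)


def ambiguity_by_cardinality():
    """Map #(R) to the sorted numbers of key candidates sharing each set of that size."""
    table = {}
    for rset, pairs in key_candidates().items():
        table.setdefault(len(rset), []).append(len(pairs))
    return {size: sorted(counts) for size, counts in table.items()}


if __name__ == "__main__":
    for rset, pairs in sorted(key_candidates().items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(rset), pairs)
    print(prob_set_not_recovered(2, 1, 8))
```

Only the three sets of cardinality 2 pin down a single $(\alpha_m, \beta_m)$; the other 18 of the 21 valid pairs share their set with at least one other pair.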

3) Determining 'si^k,i and 's2,k,i' In the differential attack, what we have obtained for the vertical bit 
rotations are (i?oiatey°'*i '=-^+^i '= ') o<fc<jv/i5-i and ( RotateY°''^^-''-^+^^ '' ') o<k<N/i5-i . According to how 

0<j<7 0<j<7 

si^kj and S2,fcj are determined in the encryption process, we can get §1 ^ = {si,a:j -i- si^a:^/}J^o ^ §1 = 
{tti + 8 - ai + si^k,i,ai + /3i + si^k,i, 8 - (ai + /3i) + si,fc,;} and §2,^ = {s2,k,j + S2,k,i}'j=o ^ 
§2 = {"2 + S2,k,i, 8 - a2 + S2,k,i, 02 + /32 + S2,k,u 8 - (a2 + /32) + S2,k,i}- Comparing Si, §2 with Mi, 
M2, we may be able to determine the values of si^^^/ and S2,fc,«- There are four different cases: 

• $\mathbb{S}_{m,k} \subset \mathbb{S}_m$: If $\mathbb{S}_{m,k}$ does not contain all elements in $\mathbb{S}_m$, it is generally impossible to uniquely determine $\hat{s}_{m,k,l}$. From Proposition 1, the occurrence probability of this case is $2/2^8 = 1/2^7$.

• $\mathbb{S}_{m,k} = \mathbb{S}_m$ and $\mathbb{R}_m = \{2, 6\}$: When $\hat{s}_{m,k,l} \in \{1, 2, 3, 5, 6, 7\}$, its value can be uniquely determined. When $\hat{s}_{m,k,l} = 0$ or $4$, it is impossible to distinguish one value from the other.

• $\mathbb{S}_{m,k} = \mathbb{S}_m$ and $\mathbb{R}_m = \{1, 7\}$, $\{3, 5\}$, $\{4, 1, 7\}$, $\{4, 2, 6\}$, $\{4, 3, 5\}$, $\{1, 2, 6, 7\}$ or $\{2, 3, 5, 6\}$: The value of $\hat{s}_{m,k,l}$ can always be uniquely determined.

• $\mathbb{S}_{m,k} = \mathbb{S}_m$ and $\mathbb{R}_m = \{1, 3, 5, 7\}$: The value of $\hat{s}_{m,k,l}$ can never be uniquely determined. One can only determine which of the following two sets $\hat{s}_{m,k,l}$ belongs to: $\{0, 2, 4, 6\}$ and $\{1, 3, 5, 7\}$.

Assuming the value of $\hat{s}_{m,k,l}$ distributes uniformly over $\{0, \ldots, 7\}$, the probability that each $\hat{s}_{m,k,l}$ cannot be uniquely determined is $1/2^7 + (1 - 1/2^7)((1/21)(2/8) + 4/21) \approx 0.2086$. We may choose more different values of $l$ in Sec. III-B.3.a to decrease this probability, but the probability has a lower bound $1/2^7 + (1 - 1/2^7)(4/21) \approx 0.1968$. We can see this probability is always not sufficiently small, so we will not be able to uniquely determine the value of $\hat{s}_{1,k,l}$ or that of $\hat{s}_{2,k,l}$ for quite a lot of blocks.

4) Determining the secret bits controlling the 9th to 35th byte-swapping operations: In case si,a:,z and 
's2,k,i can be uniquely determined, we will be able to uniquely recover the 9th to 35th byte-swapping 
operations, i.e., we can determine the values of (si^k,i)i=o ^""^^ (s2,fc,i)J=o- ^ote {'si^k,i)J=o and {'s2,k,i)J=o 
actually define two permutation maps over {0, . . . , 7}. Observing the 9th to 35th byte-swapping operations 
in Step b), one can notice that the permutation maps has a strong pattern: 12 byte-swapping operations for 
the first half-block and the other 12 ones for the second half-block, and each group of 12 byte-swapping 
operations can be divided into three phases. For the 12 byte-swapping operations performed on the first 
half-block, the three phases are as follows: 

• Phase 1: $(i, j, l) = (0, 4, 12), (1, 5, 13), (2, 6, 14), (3, 5, 15)$;

• Phase 2: $(i, j, l) = (0, 2, 20), (1, 3, 21), (4, 6, 22), (5, 7, 23)$;

• Phase 3: $(i, j, l) = (0, 1, 28), (2, 3, 29), (4, 5, 30), (6, 7, 31)$.

Apparently, Phase 1 swaps the bytes in the two 4-byte quarter-blocks of the first 8-byte half-block, and
Phases 2 and 3 only permute the bytes within each 4-byte quarter-block. Then, for i = 0,1,2,3, we
can check in which quarter-block f^*^^){k,i) belongs to after the byte-swapping operations. In other 
words, we check if si^fc^j € {0, 1, 2, 3} or {4, 5, 6, 7}, which corresponds to 6(129A; + 12 + i) = and 
1, respectively. This allows us to completely determine (6(129fc + 12 + i))f=0' i-^-' break Phase 1. 
Then, we can derive a new permutation map represented by (7* ^ j)J=0' which consists of only Phases 2 
and 3. Then, according to the byte swapping operations involved in Phases 2 and 3, we can derive the 
following rule to break the 4 controlling bits involved in Phase 2: 
when $i = 0, 1$: $$b(129k + 20 + i) = \begin{cases} 0, & \in \{0, 1\},\\ 1, & \in \{2, 3\}; \end{cases}$$

when $i = 2, 3$: $$b(129k + 20 + i) = \begin{cases} 0, & \in \{4, 5\},\\ 1, & \in \{6, 7\}. \end{cases}$$



After breaking both Phases 1 and 2, we can immediately break the 4 controlling bits $(b(129k + 28 + i))_{i=0}^{3}$
involved in Phase 3. Now, we completely break all the 12 controlling bits involved in the byte-swapping
operations performed on the first half-block. The same process can be applied to the second half-block,
and 12 controlling bits can be uniquely determined. As a whole, we will be able to break all the 24
controlling bits $(b(129k + i))_{i=12}^{35}$.

5) Determining the secret bits controlling value masking: In case si ^ ^ and S2,fc,z can be uniquely 
determined as described in Sec. IIII-C31 we will be able to determine {Seed* {k, j))^^Q, or equivalently, 



{Seed{k,j))°^Q. This allows us to obtain {Seed{k, C {Seedl{k), Seedl{k), Seed2{k), Seed2{k)]. 

To break the controlling bits, we need to recover Seedl{k) and Seed2{k), which are calculated from 
(6(129A; + i))f£o and (6(129A; + 64 + i))go, respectively. Note that we can always break (6(129A; + i))go 
if 'si^k.i and 's2,k,i are uniquely determined. This means that we can break the 36/4 = 9 least significant 
bits (LSBs) of Seedl{k), since each bit of Seedl{k) is determined by four controlling bits. Then, if the 



nine LSBs of Seedl{k) are not all equal to those of Seed2{k) or those of Seed2{k), we can uniquely 



determine Seedl{k) and then Seedl{k). Assuming Seedl{k) and Seed2{k) are independent of each 
other and each bit distributes uniformly over {0, 1}, the probability that Seedl{k) cannot be uniquely 
determined is 2/2^ = 1/2^. In case Seedl{k) is uniquely determined, we have the following results: 



when Seed{k,j) G {Seedl{k), Seedl{k)}: 
b{129k + 36 + 2j) = 1; b{129k + 37 + 2j) 



0, Seed{k,j) = Seedl{k), 

1, Seed{k,j) = Seedl{k); 



when Seed{k,j) G {Seed2{k), Seed2{k)}: 
b{129k + 36 + 2j) = 1; b{129k + 37 + 2j) 



0, Seed{k,j) = Seed2{k), 

1, Seed{k,j) = Seed2{k). 



Note that in this case, Seed2{k) has to be guessed from the set {Seed2{k), Seed2{k)}. 
6) Determining the secret bits controlling horizontal/vertical bit rotations: In case si^k,i and ^2,k,i can 
be uniquely determined as described in Sec. IIII-C.3I we will be able to uniquely determine the horizontal 
and vertical bit rotations exerted on Mi, Mi, M2 and M2. Depending on how well the values of 
ai, /?i, 02, /92 are determined in Sec. IIII-C.2I some information about the controlling bits involved in 
the bit rotations may be obtained, although it is always impossible to uniquely determine the value of 
any controlling bit involved. Since the determination process of the controlling bits are similar for Mi, 
Ml, M2 and M2, here we consider only the case of Mi (i.e., horizontal bit rotations exerted on the 
first half-block) to simplify the discussion. For this case, we get (^i ^ j)J^Q by substituting ri ^ ^ into 
(fi,k,(i+ri k i))J=o- '^'^^P is determined by two controlling bits as follows: 

$$r_{1,k,i} = \begin{cases} \alpha_1, & (b(129k + 65 + 2i), b(129k + 66 + 2i)) = (0, 0),\\ \alpha_1 + \beta_1, & (b(129k + 65 + 2i), b(129k + 66 + 2i)) = (0, 1),\\ 8 - \alpha_1, & (b(129k + 65 + 2i), b(129k + 66 + 2i)) = (1, 0),\\ 8 - (\alpha_1 + \beta_1), & (b(129k + 65 + 2i), b(129k + 66 + 2i)) = (1, 1). \end{cases}$$
We have the following different cases. 

• $\mathbb{R}_1 = \{1, 7\}$, $\{2, 6\}$ or $\{3, 5\}$: In this case, $\alpha_1$ and $\beta_1$ can be uniquely determined, but we cannot differentiate $\alpha_1$ from $8 - (\alpha_1 + \beta_1)$, and $8 - \alpha_1$ from $\alpha_1 + \beta_1$. Hence, we can determine neither $b(129k + 65 + 2i)$ nor $b(129k + 66 + 2i)$, but just the following:

$$(b(129k + 65 + 2i), b(129k + 66 + 2i)) = \begin{cases} (0, 0) \text{ or } (1, 1), & r_{1,k,i} \in \{1, 2, 3\},\\ (0, 1) \text{ or } (1, 0), & r_{1,k,i} \in \{5, 6, 7\}. \end{cases}$$

• $\mathbb{R}_1 = \{4, 1, 7\}$, $\{4, 2, 6\}$ or $\{4, 3, 5\}$: In this case, $(\alpha_1, \beta_1)$ has two possible values, so $(b(129k + 65 + 2i), b(129k + 66 + 2i))$ cannot be uniquely determined. What we can get is the following:

$$(b(129k + 65 + 2i), b(129k + 66 + 2i)) = \begin{cases} (0, 0) \text{ or } (1, 1), & r_{1,k,i} \in \{1, 2, 3\},\\ (0, 1) \text{ or } (1, 0), & r_{1,k,i} \in \{5, 6, 7\},\\ (0, 0), (0, 1), (1, 0) \text{ or } (1, 1), & r_{1,k,i} = 4. \end{cases}$$

• $\mathbb{R}_1 = \{1, 2, 6, 7\}$: In this case, $(\alpha_1, \beta_1)$ has four possible values $(1, 1)$, $(1, 5)$, $(2, 5)$ or $(6, 1)$, so $(b(129k + 65 + 2i), b(129k + 66 + 2i))$ cannot be uniquely determined, either. What we can get is the following:

$$(b(129k + 65 + 2i), b(129k + 66 + 2i)) = \begin{cases} (0, 0) \text{ or } (1, 1), & r_{1,k,i} = 1,\\ (0, 1) \text{ or } (1, 0), & r_{1,k,i} = 7,\\ (0, 0), (0, 1), (1, 0) \text{ or } (1, 1), & r_{1,k,i} \in \{2, 6\}. \end{cases}$$

• $\mathbb{R}_1 = \{1, 3, 5, 7\}$: In this case, $(\alpha_1, \beta_1)$ has four possible values $(1, 2)$, $(1, 4)$, $(3, 4)$ or $(5, 2)$, so $(b(129k + 65 + 2i), b(129k + 66 + 2i))$ cannot be uniquely determined, either. What we can get is the following:

$$(b(129k + 65 + 2i), b(129k + 66 + 2i)) = \begin{cases} (0, 0) \text{ or } (1, 1), & r_{1,k,i} = 1,\\ (0, 1) \text{ or } (1, 0), & r_{1,k,i} = 7,\\ (0, 0), (0, 1), (1, 0) \text{ or } (1, 1), & r_{1,k,i} \in \{3, 5\}. \end{cases}$$

• $\mathbb{R}_1 = \{2, 3, 5, 6\}$: In this case, $(\alpha_1, \beta_1)$ has four possible values $(2, 1)$, $(2, 3)$, $(3, 3)$ or $(5, 1)$, so $(b(129k + 65 + 2i), b(129k + 66 + 2i))$ cannot be uniquely determined, either. What we can get is the following:

$$(b(129k + 65 + 2i), b(129k + 66 + 2i)) = \begin{cases} (0, 0) \text{ or } (1, 1), & r_{1,k,i} = 2,\\ (0, 1) \text{ or } (1, 0), & r_{1,k,i} = 6,\\ (0, 0), (0, 1), (1, 0) \text{ or } (1, 1), & r_{1,k,i} \in \{3, 5\}. \end{cases}$$
7) Summary: As a brief summary, based on the equivalent key obtained in the differential attack, we
can further determine $\mathbb{R}_1 = \{\alpha_1, 8 - \alpha_1, \alpha_1 + \beta_1, 8 - (\alpha_1 + \beta_1)\}$ and $\mathbb{R}_2 = \{\alpha_2, 8 - \alpha_2, \alpha_2 + \beta_2, 8 - (\alpha_2 + \beta_2)\}$
with a very high probability $1 - 1/2^{8N/15 - 1}$. Then, we may be able to uniquely determine the value of
$(\alpha_m, \beta_m)$ ($m = 1, 2$) with probability 3/21 = 1/7, or narrow down the number of possible values to 2
(with probability 6/21 = 2/7) or to 4 (with probability 12/21 = 4/7). Based on $\mathbb{R}_m$ ($m = 1, 2$), we may
be able to recover $\hat{s}_{m,k,l}$ with probability > 1 − 0.1968 = 0.8032. In case $\hat{s}_{1,k,l}$ and $\hat{s}_{2,k,l}$ are uniquely
determined, we have the following results:

• Controlling bits $(b(129k + i))_{i=12}^{35}$ can always be uniquely determined.

• In case the value of Seedl{k) can be recovered, which happens with probability 1 — 1/2*^, the 
controlling bits (6(129A;+36+2j))J^Q can always be uniquely determined, but (6(129A;+37+2j))J^Q 



can be uniquely determined only when Seed{k,j) € {Seedl{k), Seedl{k)}. 
• None of the controlling bits involved in the bit rotations can be uniquely determined, but we may 
be able to narrow down the number of possible values of the two controlling bits determining each 
bit-rotation operation from 4 to 2 in some cases. 
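
The case analysis of Secs. III-C.2 and III-C.6 and the probabilities 3/21, 6/21 and 12/21 quoted in the summary can be checked by brute force. The following Python sketch is an added example, not code from the paper; its function names are hypothetical, and it assumes (inferred from the 21 pairs listed above, not stated in this section) that valid sub-keys satisfy α_m ≥ 1, β_m ≥ 1 and α_m + β_m ≤ 7.

```python
from collections import defaultdict

def valid_subkeys():
    # Assumption inferred from the 21 pairs listed in the text:
    # alpha >= 1, beta >= 1 and alpha + beta <= 7.
    return [(a, b) for a in range(1, 7) for b in range(1, 8 - a)]

def rotation_by_bits(a, b):
    """Rotation amount selected by each pair of controlling bits (step 6)."""
    return {(0, 0): a, (0, 1): a + b, (1, 0): 8 - a, (1, 1): 8 - (a + b)}

def rotation_set(a, b):
    """The set {a, 8-a, a+b, 8-(a+b)} that the attacker observes."""
    return frozenset(rotation_by_bits(a, b).values())

def subkeys_by_set():
    """Group every valid sub-key pair by the rotation set it produces."""
    groups = defaultdict(list)
    for a, b in valid_subkeys():
        groups[rotation_set(a, b)].append((a, b))
    return dict(groups)

def ambiguity_distribution():
    """Map 'number of candidate sub-keys' -> how many of the 21 pairs
    fall into a rotation set with that many candidates."""
    dist = defaultdict(int)
    for keys in subkeys_by_set().values():
        dist[len(keys)] += len(keys)
    return dict(dist)

def candidate_bits(observed_set, r):
    """Controlling-bit pairs consistent with an observed rotation r,
    taken over every sub-key pair that yields observed_set."""
    keys = subkeys_by_set()[frozenset(observed_set)]
    return sorted({bits
                   for a, b in keys
                   for bits, rot in rotation_by_bits(a, b).items()
                   if rot == r})

if __name__ == "__main__":
    for rset, keys in sorted(subkeys_by_set().items(),
                             key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(rset), "->", keys)
    print(ambiguity_distribution())
    print(candidate_bits({4, 1, 7}, 4))
```
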

D. Experimental results 

To verify the real performance of the differential attack proposed in this paper, some experiments were
carried out with the following randomly selected secret key: $\alpha_1 = 2$, $\beta_1 = 5$, $\alpha_2 = 3$, $\beta_2 = 4$, Secret =
20, and $x(0) = 0.251$. Figure 1 shows a 512 × 512 plain-image "Peppers" and the corresponding cipher-image.
Note that the cipher-image is 1/16 higher than the plain-image due to the data expansion. This
plain-image is used as one of the chosen plaintexts, $f_0$, to generate the required chosen-plaintext differentials.
The two differentials used for breaking secret data expansion are shown in Fig. 2. The two differentials
used for breaking the first eight byte-swapping operations, i.e., the secret bits $\{b(129k + i)\}_{0 \le k \le N/15 - 1,\ 0 \le i \le 7}$,
are shown in Fig. 3. The two differentials shown in Fig. 4 and those two shown in Fig. 2 were used
to obtain an EES. The recovered equivalent key (i.e., all the items shown in Sec. III-B.4) was used to
decrypt a cipher-image as shown in Fig. 5a). The result is given in Fig. 5b). It can be seen that the secret
plain-image was successfully recovered by the differential attack.




Fig. 1. The plain-image "Peppers" and the corresponding cipher-image: a) the plain-image; b) the cipher-image.

Fig. 2. The two plaintext differentials for breaking data expansion.

Fig. 4. The two plaintext differentials for obtaining the vertical and horizontal bit-operation part of the EES: a) vertical
bit-operation; b) horizontal bit-operation.

Fig. 5. The decryption result of another cipher-image encrypted with the same secret key: a) cipher-image; b) decrypted
plain-image.

IV. Conclusion

In this paper, we evaluate the security of a recently-proposed multimedia encryption system called
MCS [28], and propose a differential attack to break it with a divide-and-conquer (DAC) strategy. The
differential attack is very efficient in the sense that only seven chosen plaintexts are needed to get an
equivalent key and the computational complexity is only $O(N)$, where $N$ is the number of bytes in the
plaintext. The real performance of the proposed attack was also verified with experiments. Similar to
some other image encryption schemes proposed in the literature, the MCS was not designed by following
some good principles of designing such systems. Some of these principles are discussed in [33], [36].